4. Snort blacklist subnet not working

Snort blacklist subnet not working

  • J

    Hi,

    I want to block a whole subnet of ip addresses inside snort (e.g. 81.22.45.0/24 ) as I can see they are generating a lot of alerts. I have added this subnet to an IP List file and then applied that to my WAN IP Rep Blacklist files list.

    The problem is that ip addresses in this subnet are still generating alerts. I thought that the IP Rep blacklist would be processed before examing my rulesets. Is this right?

    How do I block a subnet before it gets to being processed by my snort rules?

    Thanks for the help!

    0

  • It is processed first and then those IPs don't hit the other rules, but they will still generate a "blacklist" alert. Are you getting alerts beside the "blacklist" alert?

    0
Log in to reply
 

Products

Services

Support

News

Resources

Company

Our Mission

We provide leading-edge network security at a fair price - regardless of organizational size or network sophistication. We believe that an open-source security model offers disruptive pricing along with the agility required to quickly address emerging threats.

Subscribe to our Newsletter

Product information, software announcements, and special offers. See our newsletter archive for past announcements.

© Copyright 2002 - 2019 Rubicon Communications, LLC | Privacy Policy